topic Re: Cisco ISE Authorization issue in Network Access Control

Cisco ISE Authorization issue

jm.virtual01 — Tue, 20 Nov 2018 05:58:40 GMT

Hello,

I am working on Cisco ISE 2.2. The issue is that when I have connected multiple devices at through HUB or desktop switch. The connected device got authentication through MAB, that's I need but the other connected device should e authenticate with dot1x

But that device is kept requesting for the authentication multiple times so it quaring multiple time and utilize more resources.

When I check the logs from the switch side, I found the dot1.x failed logs and at the cisco ise side, I can see the session but not the authentication pass.

I do not know, how can I solve this problem? Is there any suggestion.

Also one more question, I am trying to deploy the multi-auth. configuration, can anyone provide me a guideline, how can I deploy it?

Re: Cisco ISE Authorization issue

ognyan.totev — Tue, 20 Nov 2018 06:32:51 GMT

Hi , please share port config on switch side , to see what is configured and share authentication and authorization policy .

I think you have misconfig

Re: Cisco ISE Authorization issue

jm.virtual01 — Wed, 21 Nov 2018 03:28:02 GMT

The configuration on the switch,

interface gi yy
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
device-tracking attach-policy IP_Dev
no logging event link-status
load-interval aa
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level
storm-control multicast level
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
end

On the switch, i can see the following logs,

1: Nov 11 14:06:55.769 EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet x/x, new MAC address (0015.5d) is seen.AuditSessionID 5Atx
EST: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet x/x, new MAC address (0015.5d) is seen.AuditSessionID 5Atx
: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet x/x, new MAC address (0015.5d) is seen.AuditSessionID 5Atx

It is hitted to unknown MAB authentication policy.

This is happens only for the Dynamic MAC device.

Your advice please.

Re: Cisco ISE Authorization issue

ognyan.totev — Wed, 21 Nov 2018 05:28:53 GMT

If the mac addres is unknown this is normal behaviour. What radius live logs you see ,we cant help if you not share more information

Re: Cisco ISE Authorization issue

jm.virtual01 — Mon, 26 Nov 2018 13:31:54 GMT

What the information that you need to investigate this issue in depth?

I have shared you the port config and logs from Switch and ISE end.

Re: Cisco ISE Authorization issue

ognyan.totev — Mon, 26 Nov 2018 13:48:52 GMT

We need to see radius live logs from ISE

Re: Cisco ISE Authorization issue

jm.virtual01 — Mon, 26 Nov 2018 14:30:40 GMT

Here are the live radius logs for some devices. And when i go to the details for the authentication from the live log page, it shows me some steps

11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - DEVICE.Stage
	15004	Matched rule - MAB
	15041	Evaluating Identity Policy
	15006	Matched Default Rule
	15013	Selected Identity Source - Internal Endpoints
	24209	Looking up Endpoint in Internal Endpoints IDStore -
	24211	Found Endpoint in Internal Endpoints IDStore
	22037	Authentication Passed
	15036	Evaluating Authorization Policy
	15048	Queried PIP - EndPoints.LogicalProfile
	24432	Looking up user in Active Directory - acct.XXXX.net
	24325	Resolving identity -
	24313	Search for matching accounts at join point - XXXX.net
	24318	No matching account found in forest - XXXX.net
	24367	Skipping unusable domain - YYYY.net,Domain trust is one-way
	24367	Skipping unusable domain - mgmt.XXXX.net,Domain trust is one-way
	24322	Identity resolution detected no matching account
	24352	Identity resolution failed - ERROR_NO_SUCH_USER
	24412	User not found in Active Directory - acct.XXXX.net
	15048	Queried PIP - acct.XXXX.net.ExternalGroups
	15004	Matched rule - XXXX Printers
	15016	Selected Authorization Profile - PermitAccess,Printer,AuthZ_Reauth_timer_12hrs
	15016	Selected Authorization Profile - PermitAccess,Printer,AuthZ_Reauth_timer_12hrs
	15016	Selected Authorization Profile - PermitAccess,Printer,AuthZ_Reauth_timer_12hrs
	11002	Returned RADIUS Access-Accept

Time

Status

Repeat Count

Identity

Endpoint ID

Endpoint Profile

Authentication Policy

Authorization Policy

Authorization Profiles

IP Address

Network Device

Device Port

Identity Group

17:32.0

Session

2200

00:0F:E7:07:4B:EB

XXXX_Lutron_Electronics

XXXX Wired NAC Policy - Monitor >> MAB >> Default

XXXX Wired NAC Policy - Monitor >> XXXX Environmental Device

PermitAccess,XXXX_Environmental,AuthZ_Reauth_timer_12hrs

GigabitEthernet0/14

17:31.7

Session

2113

C8:CB:B8:0D:9A:F4

Windows7-Workstation

XXXX Wired NAC Policy - Monitor >> MAB >> Default

XXXX Wired NAC Policy - Monitor >> XXXX F5 CMDB Prod

PermitAccess,AuthZ_Reauth_timer_18hrs

20.30.155.221,0xffd5150958

GigabitEthernet/2

17:31.4

Session

1705

00:1E:CA:FE:CE:60

Nortel-Device

XXXX Wired NAC Policy - Monitor >> MAB >> Default

XXXX Wired NAC Policy - Monitor >> XXXX Voice Hardware

PermitAccess,XXXX_Voice_Hardware,AuthZ_Reauth_timer_12hrs

20.254.118.43

GigabitEthernet0/29

Re: Cisco ISE Authorization issue

ognyan.totev — Tue, 27 Nov 2018 05:33:56 GMT

Hi , as i see you use multi domain this will allow only 1 mac address on data vlan and 1 mac address on voice vlan . If you dont have global config authentication mac move permit it will always fail. You can try port config with authentication host multi auth.

Re: Cisco ISE Authorization issue

paul — Tue, 27 Nov 2018 12:53:28 GMT

Many switches don't pass 802.1x frames correctly, have you verified you have a switch/hub that does? I am not talking about the switch you are running authentication on, I am referring to the switch/hub you have hanging off that switch where these devices are plugged into.

Re: Cisco ISE Authorization issue

jm.virtual01 — Tue, 27 Nov 2018 13:22:19 GMT

I never checked how can i check that thing? On some location there is some specific devices are connected int he network such as HVAC devices for Heat and Vacuum and these devices are connected through the some Intel device. Also there is some other specific devices such as Lab Devices and Monitor Devices.

Re: Cisco ISE Authorization issue

paul — Tue, 27 Nov 2018 13:29:04 GMT

If you take the same 802.1x device that is failing when connected to the hub/switch and plug it directly into the Cisco switch running authentication and it works then most likely the issue is with the hub/switch no passing 802.1x frames correctly.

Re: Cisco ISE Authorization issue

Surendra — Tue, 27 Nov 2018 20:21:39 GMT

If you have a hub connected and there are multiple devices connected behind it , "authentication host-mode multi-auth" does not really the case. You will have to use "authentication host-mode multi-auth". What this does it, it authenticates every device that is connected behind the port. I mean every mac address that is connected behind the port including the hub.

If you configuration is more like below, the performance of the authentication process increases and you would not see those security violations as well.

interface gi yy
switchport access vlan xxx
switchport mode access
switchport voice vlan yyy
device-tracking attach-policy IP_Dev
no logging event link-status
load-interval aa
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level
storm-control multicast level
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
end

For more information on what these modes are and what they mean, here is the document that might help you :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/XE3-9-0E/15-25E/configuration/guide/xe-390-configuration/dot1x.pdf

Re: Cisco ISE Authorization issue

jm.virtual01 — Wed, 28 Nov 2018 18:17:14 GMT

Yes, may be multi auth solve the issue. But have one question about the authentication order.

authentication order mab dot1x

I believe, we should keep the authentication order as per the priority. I am not sure, can you share your ideas on it?

Why i need to keep the authentication order as you mentioned in your reply? I am very interested about it so can you educate me on this.